Webseclab – Web security test cases and a construction toolkit

Webseclab – Web security test cases and a construction toolkit(github.com)

114 points by Allstar 11 years ago | 6 comments

dguido 11 years ago |

If you're planning on scanning all of your web apps at scale, you probably want to know what you can find and what you'll miss.

As for competitors, I think there is WavSep but I'm not sure how suitable it is for Yahoo's use case (it looks like an overgrown J2EE app). People involved in that project infrequently rank scanners on their blog:

* https://code.google.com/p/wavsep/

* http://sectooladdict.blogspot.ro/2014/02/wavsep-web-applicat...

I have the feeling that the Yahoo bug bounties are about to get a whole lot harder to claim.

dsacco 11 years ago | |

This is good news. Yahoo has demonstrated that they can manage the largest bug bounty program in the world. Now it's time to elevate the difficulty of finding vulnerabilities to the same status as Google or Facebook.

Unfortunately, this will do nothing for the engineering hours being sunk into monitoring the thousands of invalid reports submitted each year.

what-no-tests 11 years ago |

No tests? Hello?

jdawg77 11 years ago |

This can't be because the most advanced unit in the entire United States Military reminded the world that, last month, they already played the trump card can it?

http://www.army.mil/article/141734/Army_cyber_defenders_open...

Nah; that must be a coincidence. After all, why would somebody after the US Military try to convince people that their security was better? Do you honestly think Yahoo has better stuff than the Tony Stark of the armed forces?

Please. Let's see, Ycombinator's got some ex-Yahoo's as alumni, I'm sure they'll chime in and disagree with me any moment. Yep yep. Bring it.

dguido 11 years ago | |

Sorry, but did you even read either article before posting your unintelligible conspiracy theory? One does packet parsing and the other verifies ability to assess webapp vulnerabilities.

https://github.com/USArmyResearchLab/Dshell

tehlark 11 years ago | | |

Clearly he didn't even read the first word of the title. =)